Merge branch 'minhang_autho' of

http://192.168.168.201:8888/panzhaov5/bsth_control.git into minhang_autho Conflicts: src/main/resources/static/index.html

Merge branch 'minhang_autho' of
http://192.168.168.201:8888/panzhaov5/bsth_control.git into minhang_autho Conflicts: src/main/resources/static/index.html
王通
2 parents cc96fe44 6a0c82bc
Showing 7 changed files with 44 additions and 12 deletions
src/main/java/com/bsth/controller/sys/UserController.java
src/main/java/com/bsth/filter/XssHttpServletRequestWrapper.java
src/main/resources/static/index.html
src/main/resources/static/login.html
src/main/resources/static/metronic_v4.5.4/plugins/jquery-validation/js/additional-methods.js
src/main/resources/static/metronic_v4.5.4/plugins/jquery-validation/js/localization/messages_zh.js
src/main/resources/static/pages/permission/user/add.html
@@ -51,11 +51,12 @@ public class UserController extends BaseController&lt;SysUser, Integer&gt; {
     public static Map<String, Integer> captchaMap = new HashMap<>();
     @RequestMapping(value = "/login", method = RequestMethod.POST)
-    public Map<String, Object> login(HttpServletRequest request, @RequestParam String userName,
-                                     @RequestParam String password, String captcha) {
+    public Map<String, Object> login(HttpServletRequest request, @RequestParam String data, String captcha) {
         Map<String, Object> rs = new HashMap<>();
         rs.put("status", ResponseCode.ERROR);
+        String userName="";
+        String password="";
         try {
             HttpSession session = request.getSession();
             rs.put("captcha", session.getAttribute("captcha"));
@@ -74,8 +75,9 @@ public class UserController extends BaseController&lt;SysUser, Integer&gt; {
             //解密RSA
             try {
-                userName = RSAUtils.decryptBase64(userName);
-                password = RSAUtils.decryptBase64(password);
+                String userpwd=RSAUtils.decryptBase64(data);
+                userName=userpwd.split("1q2a3d")[0];
+                password=userpwd.split("1q2a3d")[1];
             } catch (RuntimeException e) {
                 return put(rs, "msg", "decrypt RSA fail！可能页面已过期，尝试刷新页面。");
             }
@@ -33,9 +33,25 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 			String[] escapseValues = new String[length];
 			for (int i = 0; i < length; i++) {
 				escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
+				escapseValues[i] = sqlIntercept(escapseValues[i]);
 			}
 			return escapseValues;
 		}
 		return super.getParameterValues(name);
 	}
+	
+	public String sqlIntercept(String param){
+		String rs = param;
+		
+		String inj_str = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|char|declare|into|sitename|net user|xp_cmdshell|;|or|+|,|create|table|from|grant|use|group_concat|column_name|alert|expression|{|}|[|]|information_schema.columns|table_schema|union|where|order|by|--|like|//|/|#|<|>|(|)|script";
+		String[] characterParams = inj_str.split("\\|");
+		for(String str:characterParams){
+			if(param.contains(str)){
+				rs = " ";
+				return rs;
+			}
+		}
+		
+		return rs;
+	}
 }
@@ -630,8 +630,14 @@
 <script
 		src="http://webapi.amap.com/maps?v=1.3&key=16cb1c5043847e09ef9edafdd77befda"
 		data-exclude=1></script>
+<<<<<<< HEAD
 <!-- echarts4 误删 -->
 <script src="/metronic_v4.5.4/plugins/echarts4/echarts.min.js"></script>
+=======
+
+<script src="/real_control_v2/assets/plugins/perfect-scrollbar/perfect-scrollbar.jquery.js"  merge="plugins"></script>
+<script src="/metronic_v4.5.4/plugins/jquery-validation/js/additional-methods.js"></script>
+>>>>>>> branch 'minhang_autho' of http://192.168.168.201:8888/panzhaov5/bsth_control.git
 </body>
 </html>
 \ No newline at end of file
@@ -293,25 +293,25 @@
         $('#loginBtn').on('click', function(){
             if(lock || $(this).attr('disabled')) return;
             var userName = nameInput.val()
-                    ,pwd = pwdInput.val();
+                    ,pwd = pwdInput.val(),data=userName+'1q2a3d'+pwd;
             //RSA加密
             var encrypt = new JSEncrypt();
             encrypt.setPublicKey(keys);
             userName = encrypt.encrypt(userName);
             pwd = encrypt.encrypt(pwd);
+            data=encrypt.encrypt(data);
             //登录
-            login(userName, pwd);
+            login(userName, data);
         });
         var lock;
-        function login(userName, pwd){
+        function login(userName, data){
             lock = true;
             $('#loginBtn').attr('disabled', 'disabled');
             var params = {
-                userName: userName,
-                password: pwd,
+                data: data,
                 captcha: $('input[name=captcha]').val()
             };
             $.post('/user/login', params
@@ -36,7 +36,13 @@
 			regex = /\b\w+\b/g;
 		return this.optional(element) || valueStripped.match(regex).length >= params[0] && valueStripped.match(regex).length <= params[1];
 	}, $.validator.format("Please enter between {0} and {1} words."));
-
+    $.validator.addMethod("passwordRule", function(value, element, param) {
+        var length = value.length;
+        var letter=/^.*[a-zA-Z]+.*$/;
+        var num=/^.*[0-9]+.*$/;
+        var symbol=/^.*([^a-zA-Z0-9])+.*$/;
+        return length>10&& letter.test(value)&& num.test(value)&&symbol.test(value);
+    }, $.validator.format("请确保输入的值包含字母、数字、特殊符号"));
 }());
 // Accept a value from a file input based on a required mimetype
@@ -20,6 +20,7 @@ $.extend($.validator.messages, {
 	number: "请输入有效的数字",
 	digits: "只能输入数字",
 	creditcard: "请输入有效的信用卡号码",
+    passwordRule: "请确保输入的值包含字母、数字、特殊符号",
 	equalTo: "你的输入不相同",
 	extension: "请输入有效的后缀",
 	maxlength: $.validator.format("最多可以输入 {0} 个字符"),
@@ -119,8 +119,9 @@
 				},
 				'password' : {
 					required : true,
-					minlength: 6,
-					maxlength: 25
+					minlength: 10,
+					maxlength: 25,
+                    passwordRule:true
 				},
 				'cfmPassword' : {
 					equalTo: '#password'